Persistent Threat after Microsoft SharePoint Breach: Security Concerns Continue
In a significant cybersecurity alert, a zero-day vulnerability tracked as CVE-2025-53770 has been discovered in Microsoft's SharePoint software. Rated 9.8 on the 10-point CVSS scale, it poses a high risk to on-premises SharePoint infrastructure, particularly for small and medium-sized enterprises (SMEs) that operate their own servers.
Microsoft released emergency security patches on July 20, 2025, following the detection of active exploitation campaigns that breached over 75 organizations, including U.S. federal agencies and universities. The vulnerability allows unauthenticated remote code execution on SharePoint Server 2016, 2019, and Subscription Edition.
To mitigate the risk, SMEs are advised to take immediate action. Here are key protective measures and recommendations:
- Apply Microsoft's latest security patches immediately: The flaw is a deserialization bug that lets attackers bypass authentication and execute code on the server remotely, so patching every on-premises SharePoint server is the first priority. Microsoft's guidance also calls for rotating the servers' ASP.NET machine keys and restarting IIS after the update, because a server that was compromised before patching may already have had its keys stolen, and stolen keys remain usable even on a patched server.
- Verify your SharePoint environment: Confirm which on-premises SharePoint Server versions you run; SharePoint Online in Microsoft 365 is not affected by this vulnerability.
- Monitor for suspicious activity: With stolen machine keys, attackers can forge payloads that SharePoint accepts as trusted and blend their actions into legitimate SharePoint operations. SMEs should enable detailed endpoint logging and network monitoring, and review IIS logs for anomalous web requests, in particular POST requests to /_layouts/15/ToolPane.aspx carrying a Referer header of /_layouts/SignOut.aspx, as well as unexpected files such as spinstall0.aspx in the SharePoint LAYOUTS directory.
- Limit external exposure: Restrict external network access to SharePoint servers where possible to reduce the attack surface.
- Deploy additional security controls: Utilize endpoint detection and response (EDR) tools, web application firewalls (WAFs), and intrusion detection/prevention systems (IDS/IPS) to detect or block attack vectors exploiting this flaw.
- Stay informed: Follow advisories from Microsoft, cybersecurity agencies such as CISA, and trusted security vendors to apply any further mitigation or detection guidance as it becomes available.
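The following is an added example, not code from the original article, from Microsoft, or from any vendor named on this page. It implements the log review recommended above: it parses IIS logs in W3C format (using the #Fields header to locate columns) and flags the request pattern published for this campaign, namely POST requests to ToolPane.aspx with a SignOut.aspx Referer and any request for a spinstall web shell path. The log lines, host names and IP addresses are constructed for illustration; the indicator strings are the ones Microsoft and CISA published for CVE-2025-53770.

```python
"""Scan IIS W3C-format logs for the CVE-2025-53770 ("ToolShell") request pattern."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Published indicators for this campaign (Microsoft / CISA guidance):
#   - POST to /_layouts/<n>/ToolPane.aspx with Referer /_layouts/SignOut.aspx
#   - requests for spinstall0.aspx, the web shell used to steal machine keys
TOOLPANE_RE = re.compile(r"/_layouts/\d+/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_REFERER_RE = re.compile(r"/_layouts/(\d+/)?signout\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"spinstall\d*\.aspx", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    client_ip: str
    severity: str
    reason: str


def parse_iis_log(lines: Iterable[str]):
    """Yield (line_no, row) for each request line, keyed by the #Fields header.

    IIS encodes spaces inside field values (e.g. the User-Agent) as '+',
    so splitting on whitespace recovers the columns reliably.
    """
    fields: list[str] = []
    for line_no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # header missing or malformed line: skip rather than guess
        yield line_no, dict(zip(fields, values))


def scan_for_toolshell(lines: Iterable[str]) -> list[Finding]:
    """Return findings for log lines matching the published exploitation pattern."""
    findings: list[Finding] = []
    for line_no, row in parse_iis_log(lines):
        method = row.get("cs-method", "").upper()
        path = row.get("cs-uri-stem", "")
        referer = row.get("cs(Referer)", "-")
        user = row.get("cs-username", "-")
        ip = row.get("c-ip", "?")

        if WEBSHELL_RE.search(path):
            findings.append(Finding(line_no, ip, "high",
                                    f"request for suspected web shell {path}"))
            continue
        if method == "POST" and TOOLPANE_RE.search(path):
            if SIGNOUT_REFERER_RE.search(referer):
                findings.append(Finding(line_no, ip, "high",
                                        "POST to ToolPane.aspx with SignOut.aspx Referer "
                                        "(CVE-2025-53770 exploitation pattern)"))
            elif user == "-":
                # ToolPane.aspx is an authenticated edit-mode page; an anonymous
                # POST is suspicious even without the tell-tale Referer.
                findings.append(Finding(line_no, ip, "medium",
                                        "unauthenticated POST to ToolPane.aspx"))
    return findings


# Constructed sample log (not real traffic). Lines 2, 3 and 6 are malicious;
# lines 4 and 5 show a legitimate, authenticated user editing a page.
SAMPLE_LOG = "\n".join([
    r"#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    r"2025-07-18 16:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 142",
    r"2025-07-18 16:02:14 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 9",
    r"2025-07-18 16:03:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\jdoe 10.0.0.42 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/sites/hr 200 0 0 55",
    r"2025-07-18 16:03:20 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\jdoe 10.0.0.42 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/sites/hr/Pages/default.aspx 200 0 0 30",
    r"2025-07-18 16:05:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.9 python-requests/2.32 - 200 0 0 88",
])

if __name__ == "__main__":
    for f in scan_for_toolshell(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no:>4}  {f.severity:<6}  {f.client_ip:<15}  {f.reason}")
```

Run it against an exported IIS log (one file per site, typically under C:\inetpub\logs\LogFiles) by replacing SAMPLE_LOG with the file's lines. A "high" hit means the server should be treated as compromised: isolate it, preserve the logs, and rotate machine keys rather than only applying the patch.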
Unpatched SharePoint servers must be updated promptly, or alternative protective measures must be taken. The danger from the SharePoint vulnerability is not yet over: criminal groups are now using the access they gained to prepare targeted ransomware attacks.
Germany ranks third worldwide in confirmed cases of the attack, and German SMEs should be particularly vigilant about the risk posed by the vulnerability. The US agency CISA urges companies to act quickly, either by installing the patch or disconnecting affected servers from the internet.
The attack was not random or opportunistic; the attackers targeted specific systems intentionally. Through the vulnerability they gained extensive access to systems, allowing not only the reading of data but also its manipulation, and espionage.
US agencies including the FBI and the Department of Defense's Cyber Command are involved in the investigation. Charles Carmakal, chief technology officer of Google's security subsidiary Mandiant, said that at least one perpetrator is a threat actor associated with China. The attackers also use spoofing techniques to conceal their identity.
According to Microsoft, the first wave of attacks was carried out by groups from China: Linen Typhoon, Violet Typhoon, and Storm-2603. To prevent further damage, Eye Security recommends taking compromised systems off the network or isolating them.
By swiftly patching, monitoring, and restricting access, SMEs can mitigate the high risk that CVE-2025-53770 poses to their on-premises SharePoint infrastructure.
This article was written by Dominik Hochwarth, Editor at VDI Verlag.
- The dangerous CVE-2025-53770 vulnerability in Microsoft's SharePoint software requires immediate attention, particularly from small and medium-sized enterprises (SMEs), because it gives attackers unauthenticated remote code execution on on-premises servers.
- To protect their on-premises SharePoint infrastructure, SMEs should prioritize applying Microsoft's emergency security patches, then add detailed logging, network monitoring, and security controls such as EDR tools, WAFs, and IDS/IPS, and treat any server that shows signs of compromise as one that must be isolated and investigated, not merely patched.